When is a DPIA required?

The GDPR (General Data Protection Regulation) requires organisations to conduct a data protection impact assessment (DPIA) where processing is ‘likely to result in a high risk’ to the rights and freedoms of individuals.

Because the Regulation doesn’t define what ‘high risk’ is, this blog provides examples of processing activities that require a DPIA.

What does ‘high risk’ mean?

Before we provide our examples, we should explain how you can identify high-risk data processing activities.

Or, to be more specific, identifying potentially high-risk data processing activities, because you won’t know for sure that there are information security risks until you’ve completed a DPIA.

You’re therefore performing a broad analysis, looking for – on the one hand – which risks are acceptable – and on the other, processing activities that might endanger data subjects’ rights and freedoms.

You can do this by breaking risk into its two component parts:

  • Probability: the likelihood that the data processing will result in a data breach or privacy violation.
  • Damage: the impact on individuals if a data breach or privacy violation occurs.

Where you set the threshold at which risk becomes ‘high’ is up to you, but the GDPR includes three types of data processing that meet these criteria.

1) Systematic and extensive profiling with significant effects

Systematic processing includes management processes that are used to observe, monitor or control data subjects.

For example, organisations might monitor an employee’s browsing habits to ensure they aren’t using the Internet for illicit purposes.

Likewise, a retailer might use personal data collected about an individual to provide targeted ads.

Not every instance of systematic processing requires a DPIA. That’s because the processing must also be extensive (continual monitoring instead of occasional checks) and have significant effects (the data reveals something sensitive about the individual).

You can define ‘sensitive’ by assessing the damage – be it financial, reputational or emotional – that could be caused if an unauthorised party accessed the personal data.

2) Large-scale use of sensitive information

‘Large-scale’ refers to:

  • A significant number of data subjects.
  • A high volume of personal data; or
  • Storing data for a substantial length of time.

Meanwhile, sensitive information refers to special categories of data or personal data relating to criminal convictions and offences.

3) Large-scale public monitoring

This includes any personal data processing that occurs in a publicly accessible space.

The most prominent example of this is CCTV, but organisations need to be increasingly concerned about the risks identified with dashcam footage and smart technology.

Likewise, the development of ‘smart cities’ will see a surge in public monitoring  subject to DPIAs.

In addition to these types of data processing, the ICO (Information Commissioner’s Office) states that organisations must conduct a DPIA when:

Implementing new technology

This includes processing that involves the innovative use of technologies or the application of modern technology to existing processes.

Examples of this include artificial intelligence and machine learning, self-driving cars and smart technology.

Automated decision-making

Organisations often use automated decision-making to decide whether an individual should be given access to a product or service.

You will often need to conduct a DPIA if these decisions involve processing personal data, but it will be essential if sensitive data is used.

For example, credit checks and mortgage applications use financial data, which poses an especially high risk if compromised, so a DPIA is essential.

Conducting large-scale processing

According to the ICO, all large-scale data processing – not just activities involving sensitive information – should be subject to a DPIA.

Processing biometric or genetic data

Biometric data is usually used to authenticate that someone has appropriate access rights. Face and iris recognition and fingerprint scans are the most common examples.

Physical tests, like heartbeat monitoring and keystroke dynamics, are also considered biometric data.

Similarly, the collection of genetic data (other than that processed by an individual GP or health professional to provide healthcare directly to the data subject) is subject to a DPIA.

This includes data processed to perform medical diagnoses, DNA testing or medical research.

Data matching

This is any activity in which personal data from multiple sources is combined or compared.

The software firm Data Ladder has compiled a detailed list of reasons why organisations might conduct data matching, with fraud prevention and direct marketing being two of the most common.

Conducting invisible processing

This is the processing of personal data that wasn’t obtained directly from the data subject. The rules surrounding this are outlined in Article 14 of the GDPR.

Examples of invisible processing include list brokering, direct marketing and online tracking by third parties.


This is the monitoring of individuals’ movement or behaviour. Depending on the organisation’s aims, it might track location, browsing history, health monitoring or interactions with IoT devices.

Targeting children or vulnerable people

Children and vulnerable people are given special protection under the GDPR.

This includes any personal data processing targeted at them for marketing purposes, profiling and other forms of automated decision-making.

Processing that involves risk of physical harm

The risk related to personal data breaches usually refers to financial, reputational or emotional damages. Still, you must also be aware of physical risks.

For example, if the identity of a whistle-blower was exposed, that person might fear for their safety.

Likewise, if child counselling records were exposed, the affected child’s home life could be made even worse.

Want help with the DPIA process?

Hopefully, you’re now confident of which types of processing require a DPIA. However, you still need to figure out how to conduct one.

The GDPR doesn’t specify a process to follow, so this is where our DPIA Tool helps.

This essential software guides you through the six steps you must complete to ensure your assessment effectively measures the level of risk involved in data processing activities.

You don’t have to be a GDPR expert to complete the assessment. Our DPIA template shows you a DPIA example and outlines the questions you need to ask and how you can find the answers.

It even provides links to the relevant sections of the Regulation, so you can check why each process is necessary.

A version of this blog was originally published on 19 June 2019.